Today we came across a possible security problem when you use flow script. We tested the following example with 2.1.5.1 and the current 2.1.x branch. Here is a simple example:
We have two areas in our web application, one is available for every user and one area is only accessible for authenticated users. We create two sub sitemaps - one for each area. Both are using flow with different scripts. The second sitemap is protected by using the authentication framework (how the authentication is done is actually not important).
...but that *is* important: if you would be using a flow based authentication mechanism this is not a problem at all.
So it seems that it would be good if we would have some further checks. I think, it would be good if flow would check if the continuation id belongs to the sitemap where the map:call is performed. Currently the ids are global and not on a per sitemap level.
We could create a continuation manager per sitemap. ...but I am not really sure whether this is a good idea to make this the default.
Or we store the continuations in the session. Or?
That would also be an option. On the other hand this would make a session mandatory for continuations.
...which is not necessarily needed.
cheers -- Torsten
